CISA issues advisory on Securly Chrome Extension vulnerabilities in data and access control

Version 3.0.7 of the Securly Chrome Extension includes vulnerabilities that affect data handling and access control, with potential exposure of sensitive filtering rules and the ability to manipulate configuration and filtering behavior. The issues include insecure data transmission, weak cryptography, and improper access control that can result in denial of service and unauthorized access to protected resources.

The advisory lists multiple issues in the extension. CVE-2026-8874 describes version 3.0.7 downloading JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API, while other endpoints fetch IWF and CIPA data over HTTPS, an inconsistent use of TLS. CVE-2026-8876 involves hardcoded, plaintext AES passphrases in securly.min.js that decrypt crisis alert keyword data and intervention site data. CVE-2026-8878 reports publicly accessible endpoints that allow unauthenticated access to sensitive data; the exposed information consists of SHA-1 hashes inadequately obfuscated with a simple Caesar cipher that can be reversed to recover the original hash values. CVE-2026-8879 states that the extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime rather than declaring it in manifest.json; the script runs on all URLs, hides all page content, creates a full-page overlay, pauses all videos, and restores content only when the service worker confirms the page passes filtering, so pages remain hidden indefinitely if Securly’s servers are unreachable. CVE-2026-8881 covers EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption; MD5 has been broken since 2004, and a single iteration provides no key stretching, enabling efficient offline cracking. CVE-2026-8888 describes downloading config.json over HTTP and compiling server-provided patterns as JavaScript regular expressions using new RegExp() without complexity validation, so an on-path attacker can inject patterns that cause catastrophic backtracking and denial of service across all browsing. CVE-2026-8889 reports deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).
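As an added illustration of the defender-side fix for the config-download and regex-compilation weaknesses (CVE-2026-8874, CVE-2026-8888), and not code from the advisory or from Securly: the config shape `{ patterns: [...] }` and the config URL are assumptions, and the sample config is constructed.

```javascript
// Added example, not Securly's code: validate server-supplied filter patterns
// before handing them to new RegExp(), and refuse plaintext config downloads.
// The config shape { patterns: [...] } is assumed; sample values are constructed.

const MAX_PATTERN_LENGTH = 256;

// Conservative structural check: reject a quantifier applied to a group that
// itself contains a quantifier, e.g. (a+)+ or ((\d*)x)*, the classic shape behind
// catastrophic backtracking. False positives are acceptable for a blocklist rule.
function hasNestedQuantifier(pattern) {
  const groups = [];              // per open group: has a quantifier been seen inside?
  let inClass = false;            // inside [...] quantifier characters are literals
  let afterGroup = false;         // previous token was a closing ')'
  let closedGroupHadQuantifier = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; afterGroup = false; continue; }   // skip escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; afterGroup = false; continue; }
    if (c === '(') {                                            // (?: (?= (?! (?<name> are not quantifiers
      groups.push(false); afterGroup = false; if (pattern[i + 1] === '?') i++; continue;
    }
    if (c === ')') { closedGroupHadQuantifier = groups.pop() || false; afterGroup = true; continue; }
    if (c === '*' || c === '+' || c === '?' || c === '{') {
      if (afterGroup && closedGroupHadQuantifier) return true;
      for (let k = 0; k < groups.length; k++) groups[k] = true;  // mark all enclosing groups
    }
    afterGroup = false;
  }
  return false;
}

// Returns a RegExp, or null when the rule must be dropped (too long, nested
// quantifiers, or malformed). Dropping a bad rule never crashes the filter.
function compileFilterPattern(pattern) {
  if (typeof pattern !== 'string' || pattern.length > MAX_PATTERN_LENGTH) return null;
  if (hasNestedQuantifier(pattern)) return null;
  try { return new RegExp(pattern); } catch (e) { return null; }
}

// Only ever fetch configuration over TLS; an http: URL is a bug, not a fallback.
function requireHttps(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') throw new Error('refusing plaintext config download: ' + url);
  return u.toString();
}

// Constructed sample config (not the real config.json): one sane rule, one
// ReDoS-shaped rule, one rule whose ( + ) live inside a character class.
const SAMPLE_CONFIG = { patterns: ['^https?://example\\.com/blocked', '(a+)+$', '[(+)]x*'] };
function loadPatterns(config) {
  return config.patterns.map(compileFilterPattern).filter(Boolean);
}
```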

Collectively, the vulnerabilities enable multiple attack paths and threaten the security and privacy of student users, for whom use of the extension may be academically mandatory. The HTTP configuration downloads (CVE-2026-8874, CVE-2026-8888) and weak cryptographic primitives (CVE-2026-8876, CVE-2026-8881, CVE-2026-8889) allow a network-adjacent attacker to intercept, modify, or decrypt data related to keyword filtering. The unauthenticated, publicly accessible endpoints with trivially reversible obfuscation (CVE-2026-8878) further expose internal keyword lists, blocklists, and rule definitions, enabling reconstruction and manipulation of the extension’s filtering logic. For student users, the advisory describes exposure to content intended to be blocked, or inappropriate blocking of legitimate educational resources. The undeclared, dynamically registered content script (CVE-2026-8879) can be abused to fully obscure web pages, leading to denial-of-service conditions for end users.

Coordination with Securly could not be completed. Until a patch is available, administrators can lower potential exposure by restricting usage of the extension on untrusted or public networks, installing school-managed VPNs on underlying devices, and monitoring for unexpected or abnormal filtering behavior.

Thanks to the reporter Santh for discovering and researching the vulnerabilities. The document was written by Molly Jaconski.